TL;DR: DSPM is positioned as a way to continuously discover, classify, and secure sensitive data across cloud and hybrid environments as AI-driven threats and shadow data increase, according to Netwrix and the 2025 Cybersecurity Trends Report. The deeper issue is that visibility into data exposure now determines whether IAM, DAG, and PAM can actually reduce risk or merely document it.
NHIMG editorial — based on content published by Netwrix: How DSPM Tackles AI and Cloud Security Threats
By the numbers:
- 49% of workloads already in the cloud.
- 26% of businesses report struggling with inconsistent tools and processes.
- 73% of organizations identified data security as their top priority in 2025.
Questions worth separating out
Q: How should security teams use DSPM to improve cloud data governance?
A: Security teams should use DSPM to identify where sensitive data resides, who can reach it, and which repositories create the highest exposure.
Q: Why do cloud and SaaS environments make data security harder to govern?
A: Cloud and SaaS environments increase the number of places sensitive data can land, move, and be copied without consistent ownership.
Q: What breaks when organisations manage access without data classification?
A: Access governance breaks down when teams can see entitlement but not sensitivity.
Practitioner guidance
- Baseline sensitive data before revisiting access models: Run discovery across cloud, SaaS, and unmanaged repositories first, then use the results to re-evaluate which identities truly need access to which datasets.
- Tie entitlement reviews to data sensitivity: Require IAM, DAG, and PAM reviewers to see classification results alongside entitlements so they can judge whether an access path is acceptable in context.
- Prioritise shadow data repositories with business impact: Focus remediation on repositories that contain regulated or mission-critical information, especially where access is broad and inventory confidence is low.
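The three steps above can be sketched as a join between classification results and an entitlement export. This is an added example, not code from Netwrix or its product; the repository names, labels, weights and scoring formula are constructed assumptions chosen only to illustrate the ranking.

```python
from collections import defaultdict

# Constructed sample data; labels, weights and repository names are illustrative.
WEIGHT = {"public": 0, "internal": 1, "confidential": 3, "regulated": 5}

CLASSIFIED = {  # discovery + classification output: repo -> (label, in_inventory)
    "s3://finance-exports": ("regulated", False),   # shadow copy, not inventoried
    "sharepoint://hr-records": ("regulated", True),
    "gdrive://marketing-assets": ("public", True),
}

ENTITLEMENTS = [  # (identity, repo) pairs as an IAM export would list them
    ("svc-etl", "s3://finance-exports"),
    ("all-employees", "s3://finance-exports"),
    ("analyst-1", "s3://finance-exports"),
    ("hr-team", "sharepoint://hr-records"),
    ("all-employees", "gdrive://marketing-assets"),
    ("svc-backup", "nfs://legacy-share"),            # never scanned
]


def rank_repositories(classified, entitlements):
    """Return [(repo, label, score, identities)] sorted by descending exposure."""
    access = defaultdict(set)
    for identity, repo in entitlements:
        access[repo].add(identity)
    rows = []
    for repo, identities in access.items():
        label, inventoried = classified.get(repo, ("unclassified", False))
        # Unclassified data is scored as worst case until discovery says otherwise.
        weight = WEIGHT.get(label, max(WEIGHT.values()))
        # Assumed formula: sensitivity x access breadth, doubled for low inventory confidence.
        score = weight * len(identities) * (1 if inventoried else 2)
        rows.append((repo, label, score, sorted(identities)))
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def review_queue(classified, entitlements, min_score=1):
    """Entitlements a reviewer should see first, each annotated with sensitivity."""
    return [(identity, repo, label)
            for repo, label, score, identities in rank_repositories(classified, entitlements)
            if score >= min_score
            for identity in identities]


if __name__ == "__main__":
    for row in rank_repositories(CLASSIFIED, ENTITLEMENTS):
        print(row)
```

A repository that appears in the entitlement export but not in the classification output is ranked as worst case, which surfaces the gap where entitlement is visible and sensitivity is not.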
What's in the full article
Netwrix's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step DSPM workflow details for discovery, classification, and risk prioritisation across cloud and hybrid estates.
- How the article positions DSPM alongside IAM, DAG, and PAM in day-to-day security operations.
- The article's own 2025 survey findings and interpretation of AI-driven data security pressure.
- Vendor-specific product framing and implementation context for Netwrix DSPM.